10.4.4 Configuring a Custom Header Policy

To inject values into a custom header, you need to know the name of the tag and its expected value type. The names are specific to the application. The names might be case sensitive. They might require an X- prefix. Because the requirements vary, you need to enter them in the format as specified by the application. For example, an application might require the following to be in the custom header:

Name/Value Pair

Description

X-First_Name=givenName

A first name tag with an LDAP attribute value

X-Last_Name=sn

A last name tag with an LDAP attribute value

X-Role=sales_role

A role tag with the role name as the value.

If you create a custom header policy with these name/value pairs, the policy injects these names with their values into a custom header, before sending the request to the web server.

To create such a policy:

  1. Click Policies > Policies.

  2. Select the policy container, then click New.

  3. Specify a name for the policy, select Access Gateway: Identity Injection for the type, then click OK.

  4. (Optional) Specify a description for the injection policy. This is useful if you plan to create multiple custom header policies to be used for multiple resources.

  5. In the Actions section, click New, then select Inject into Custom Header.

  6. Specify the following details:

    Custom Header Name: Specify the name to be inserted into the custom header. These are the names required by your application. If your application requires the X- prefix, ensure that you include the prefix in this field.

    Value: Select the value required by the name. Select one of the following:

    • Authentication Contract: Injects the URI of a local authentication contract that the user used for authentication.

    • Client IP: Injects the IP address associated with the user.

    • Credential Profile: Injects the credentials that the user specified at login. You can select LDAP Credentials, X509 Credentials, or SAML Credentials. For more information, see Section 10.4.3, Configuring an Authentication Header Policy.

    • LDAP Attribute: Injects the value of the selected attribute. For Active Directory servers, specify the SAMAccountName attribute for the username. If the attribute you require does not appear in the list, click New LDAP Attribute to add the attribute.

      The Refresh Data Every option allows you to determine when to send a query to the LDAP server to verify the current value of the attribute. Because querying the LDAP server slows down the processing of a policy, LDAP attribute values are normally cached for the user session.

      Change the value of this option from session to a more frequent interval only on those attributes that are critical to the security of your system or to the design of your work flow. You can select to cache the value for the session, for the request, or for a time interval varying from 5 seconds to 60 minutes.

      For more information, see Using the Refresh Data Option.

    • Liberty User Profile: Injects the value of the selected attribute. If no profile attributes are available, you have not enabled their use in Identity Server configuration. See Managing Web Services and Profiles.

    • Proxy Session Cookie: Injects the session cookie associated with the user.

    • Roles: Injects the roles that have been assigned to the user.

    • Shared Secret: Injects a value that has been stored in the selected shared secret store. Select the shared secret store and the name of the value you want injected.

      You can create your own value. Click New Shared Secret, specify a display name for the store, and the Access Manager creates the store. Select the store, click New Shared Secret Entry, specify a name for the attribute, then click OK. The name you select for the attribute must match the Custom Header name. The store can contain one name/value pair or a collection of name/value pairs. For more information, see Section 10.5.4, Creating and Managing Shared Secrets.

      The Refresh Data Every option allows you to determine when to send a query to verify the current value of the secret. Because querying slows down the processing of a policy, secret values are normally cached for the user session.

      Change the value of this option from session to a more frequent interval only on those secrets that are critical to the security of your system or to the design of your work flow. You can select to cache the value for the session, for the request, or for a time interval varying from 5 seconds to 60 minutes. For more information, see Using the Refresh Data Option.

    • Virtual Attribute: Injects the value of the selected virtual attribute.

      The Refresh Data Every option allows you to determine when to send a query to verify the current value of the virtual attribute. Because querying slows down the processing of a policy, the virtual attribute values are normally cached for the user session.

      Change the value of this option from session to a more frequent interval only on those attributes that are critical to the security of your system or to the design of your work flow. You can select to cache the value for the session, for the request, or for a time interval varying from 5 seconds to 60 minutes. For more information, see Using the Refresh Data Option.

    • X-Forwarded-For IP: Injects the X-Forwarded-For IP address of the client.

    • String Constant: Injects a static value that you specify in the text box. This value is used by all users who access the resources assigned to this policy.

    • Java Data Injection Module: Specifies the name of a custom Java plug-in, which injects custom values into the header. Usually, you can use either the LDAP Attribute or Liberty User Profile option to supply custom values, because both are extensible. For more information about creating a Java plug-in, see NetIQ Access Manager Developer Resources.

    • Data Extension: (Conditional) If you have installed a data extension for Identity Injection policies, this option injects the value that the extension retrieves. For more information about creating a data extension, see NetIQ Access Manager Developer Resources.

    NOTE:To improve the policy's performance, configure the LDAP Attributes, Credential Profile, Liberty User Profile, and Shared Secret attributes to be sent with authentication. For more information, see Configuring the Attributes Sent with Authentication.

  7. Specify the format for the value:

    Multi-Value Separator: Select a value separator, if the value type you have select is multi-valued. For example, Roles can contain multiple values.

    DN Format: If the value is a DN, select the format for the DN:

    • LDAP: Specifies LDAP typed comma notation.

      cn=jsmith,ou=Sales,o=novell
    • NDAP Partial Dot Notation: Specifies eDirectory typeless dot notation.

      jsmith.sales.novell
    • NDAP Leading Partial Dot Notation: Specifies eDirectory typeless leading dot notation.

      .jsmith.sales.novell
    • NDAP Fully Qualified Partial Dot Notation: Indicates eDirectory typed dot notation.

      cn=jsmith.ou=Sales.o=novell
    • NDAP Fully Qualified Leading Dot Notation: Indicates eDirectory typed leading dot notation.

      .cn=jsmith.ou=Sales.o=novell
  8. (Optional) To add additional custom header actions, click New, then select Inject into Custom Header or use the Copy Action icon and modify the new entry.

  9. Click OK > OK > Apply Changes.